From e8c037376568b6ce7625548f8259e6538244de34 Mon Sep 17 00:00:00 2001
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com>
Date: Thu, 23 May 2024 16:33:28 -0500
Subject: [PATCH] adding enrichment options, updating descriptions, etc...

---
 README.md                                 | 25 +++++++++--
 data.tf                                   | 34 +++++++++++---
 examples/deployment/main.tf               | 21 ++++++---
 scale_set.tf                              | 14 +++---
 subnet.tf                                 |  2 +-
 templates/sensor_init_with_enrichment.tpl | 33 ++++++++++++++
 variables.tf                              | 55 ++++++++++++++++++-----
 versions.tf                               | 12 +++++
 8 files changed, 162 insertions(+), 34 deletions(-)
 create mode 100644 templates/sensor_init_with_enrichment.tpl
 create mode 100644 versions.tf

diff --git a/README.md b/README.md
index e1bc2a2..897cdcb 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,29 @@ Terraform for Corelight's Azure Cloud Sensor Deployment.
 
 <img src="docs/overview.svg" alt="overview">
 
-## Getting Started
+## Usage
 ```hcl
 resource "sensor" {
-  source = "github.com/corelight/terraform-azure-sensor" 
-  
-  
+  source = "github.com/corelight/terraform-azure-sensor"
+
+  license_key                    = "<your Corelight sensor license key>"
+  location                       = "<Azure location to deploy resources in>"
+  resource_group_name            = "<resource group to deploy in>"
+  virtual_network_name           = "<virtual network where VMSS subnet should be deployed>"
+  virtual_network_resource_group = "<virtual network resource group>"
+  virtual_network_address_space  = "<virtual network address space (CIDR) used to create subnet>"
+  corelight_sensor_image_id      = "<image resource id from Corelight>"
+  sensor_api_password            = "<password for the sensor api>"
+  sensor_ssh_public_key          = "<path to ssh public key>"
+
+  # (Optional) Cloud Enrichment Variables
+  enrichment_storage_account_name   = "<name of the enrichment storage account>"
+  enrichment_storage_container_name = "<name of the enrichment container in the storage account>"
+  tags                              = {
+    foo: bar,
+    terraform: true,
+    purpose: Corelight
+  }
 }
 ```
 
diff --git a/data.tf b/data.tf
index 9be4b72..d94f9be 100644
--- a/data.tf
+++ b/data.tf
@@ -4,12 +4,34 @@ data "cloudinit_config" "config" {
 
   part {
     content_type = "text/cloud-config"
-    content = templatefile("${path.module}/templates/sensor_init.tpl", {
-      api_password   = var.sensor_api_password
-      sensor_license = var.license_key
-      mgmt_int       = "eth0"
-      mon_int        = "eth1"
-    })
+    content = templatefile("${path.module}/templates/sensor_init.tpl",
+      {
+        api_password   = var.sensor_api_password
+        sensor_license = var.license_key
+        mgmt_int       = "eth0"
+        mon_int        = "eth1"
+      }
+    )
+    filename = "sensor-build.yaml"
+  }
+}
+
+data "cloudinit_config" "config_with_enrichment" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/templates/sensor_init_with_enrichment.tpl",
+      {
+        api_password         = var.sensor_api_password
+        sensor_license       = var.license_key
+        mgmt_int             = "eth0"
+        mon_int              = "eth1"
+        container_name       = var.enrichment_storage_container_name
+        storage_account_name = var.enrichment_storage_account_name
+      }
+    )
     filename = "sensor-build.yaml"
   }
 }
\ No newline at end of file
diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf
index 921432b..dfac70d 100644
--- a/examples/deployment/main.tf
+++ b/examples/deployment/main.tf
@@ -37,14 +37,23 @@ module "sensor" {
   location                       = local.location
   resource_group_name            = azurerm_resource_group.sensor_rg.name
   virtual_network_name           = data.azurerm_virtual_network.existing_vnet.name
-  corelight_sensor_image_id      = "<image resource id from Corelight"
+  virtual_network_resource_group = "<vnet resource group>"
+  virtual_network_address_space  = "<vnet address space (CIDR)>"
+  corelight_sensor_image_id      = "<image resource id from Corelight>"
   sensor_api_password            = "<password for the sensor api>"
   sensor_ssh_public_key          = "<path to ssh public key>"
-  virtual_network_resource_group = "<vnet resource group"
 
-  # Optionally create a bastion host for accessing the sensor
-  # create_bastion_host  = true
-
-  tags = local.tags
+  # (Optional) Cloud Enrichment Variables
+  enrichment_storage_account_name   = "<name of the enrichment storage account>"
+  enrichment_storage_container_name = "<name of the enrichment container in the storage account>"
+  tags                              = local.tags
 }
 
+####################################################################################################
+# (Optional) Assign the VMSS identity access to the enrichment bucket if enabled
+####################################################################################################
+resource "azurerm_role_assignment" "enrichment_data_access" {
+  principal_id         = module.sensor.sensor_identity_principal_id
+  scope                = "<resource id of the enrichment storage account>"
+  role_definition_name = "Storage Blob Data Reader"
+}
diff --git a/scale_set.tf b/scale_set.tf
index 145d247..6948fb6 100644
--- a/scale_set.tf
+++ b/scale_set.tf
@@ -9,7 +9,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
   resource_group_name = var.resource_group_name
   sku                 = var.virtual_machine_size
   instances           = 1
-  custom_data         = data.cloudinit_config.config.rendered
+  custom_data         = var.enrichment_storage_account_name == "" ? data.cloudinit_config.config.rendered : data.cloudinit_config.config_with_enrichment.rendered
 
   source_image_id = var.corelight_sensor_image_id
 
@@ -20,7 +20,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
   os_disk {
     caching              = "ReadWrite"
     storage_account_type = "StandardSSD_LRS"
-    disk_size_gb         = 100
+    disk_size_gb         = var.virtual_machine_os_disk_size
   }
 
   health_probe_id = azurerm_lb_probe.sensor_health_check_probe.id
@@ -29,6 +29,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
     primary = true
 
     ip_configuration {
+      primary   = false
       name      = "management-nic-ip-cfg"
       subnet_id = azurerm_subnet.subnet.id
       load_balancer_backend_address_pool_ids = [
@@ -38,10 +39,9 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" {
   }
 
   network_interface {
-    name    = "monitoring-nic"
-    primary = false
-
+    name = "monitoring-nic"
     ip_configuration {
+      primary   = false
       name      = "monitoring-nic-ip-cfg"
       subnet_id = azurerm_subnet.subnet.id
       load_balancer_backend_address_pool_ids = [
@@ -111,4 +111,8 @@ resource "azurerm_monitor_autoscale_setting" "auto_scale_config" {
   }
 
   tags = var.tags
+
+  depends_on = [
+    azurerm_lb_probe.sensor_health_check_probe
+  ]
 }
\ No newline at end of file
diff --git a/subnet.tf b/subnet.tf
index 9e2f9cd..f86aacf 100644
--- a/subnet.tf
+++ b/subnet.tf
@@ -1,7 +1,7 @@
 resource "azurerm_subnet" "subnet" {
   name                 = var.sensor_subnet_name
   virtual_network_name = var.virtual_network_name
-  resource_group_name  = var.resource_group_name
+  resource_group_name  = var.virtual_network_resource_group
   address_prefixes = [
     cidrsubnet(var.virtual_network_address_space, 8, 1)
   ]
diff --git a/templates/sensor_init_with_enrichment.tpl b/templates/sensor_init_with_enrichment.tpl
new file mode 100644
index 0000000..8dc9f59
--- /dev/null
+++ b/templates/sensor_init_with_enrichment.tpl
@@ -0,0 +1,33 @@
+#cloud-config
+
+write_files:
+  - content: |
+      sensor:
+        api:
+          password: ${api_password}
+        license_key: ${sensor_license}
+        management_interface:
+          name: ${mgmt_int}
+          wait: true
+        monitoring_interface:
+          name: ${mon_int}
+          wait: true
+        kubernetes:
+          allow_ports:
+            - protocol: tcp
+              port: 80
+              net: 0.0.0.0/0
+            - protocol: tcp
+              port: 443
+              net: 0.0.0.0/0
+    owner: root:root
+    path: /etc/corelight/corelightctl.yaml
+    permissions: '0644'
+
+runcmd:
+  - [ corelightctl, sensor, bootstrap, -v ]
+  - [ corelightctl, sensor, deploy, -v ]
+  - |
+    echo '{"cloud_enrichment.enable": "true", "cloud_enrichment.cloud_provider": "azure","cloud_enrichment.bucket_name": "${container_name}", "cloud_enrichment.azure_storage_account": "${storage_account_name}"}' | corelightctl sensor cfg put
+
+
diff --git a/variables.tf b/variables.tf
index d2a6033..7bd82d2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,12 +14,12 @@ variable "license_key" {
 }
 
 variable "virtual_network_name" {
-  description = "The name of the virtual network the sensor will observe traffic in"
+  description = "The name of the virtual network the sensor will be deployed in"
   type        = string
 }
 
 variable "virtual_network_address_space" {
-  description = "The address space of the virtual network the sensor will observe traffic in"
+  description = "The address space of the virtual network the sensor be deployed in"
   type        = string
 }
 
@@ -69,26 +69,57 @@ variable "nat_gateway_name" {
 }
 
 variable "autoscale_setting_name" {
-  type    = string
-  default = "corelight-scale-set-autoscale-cfg"
+  description = "The VMSS autoscale monitor name"
+  type        = string
+  default     = "corelight-scale-set-autoscale-cfg"
 }
 
 variable "load_balancer_name" {
-  type    = string
-  default = "corelight-sensor-lb"
+  description = "The nane of the internal load balancer that sends traffic to the VMSS"
+  type        = string
+  default     = "corelight-sensor-lb"
 }
 
 variable "scale_set_name" {
-  type    = string
-  default = "vmss-sensor"
+  description = "Name of the Corelight VMSS of sensors"
+  type        = string
+  default     = "vmss-sensor"
 }
 
 variable "virtual_machine_size" {
-  type    = string
-  default = "Standard_D4s_v3"
+  description = "The VMSS VM size"
+  type        = string
+  default     = "Standard_D4s_v3"
+}
+
+variable "virtual_machine_os_disk_size" {
+  description = "The amount of OS disk to attach to the VMSS instances"
+  type        = number
+  default     = 500
+}
+
+variable "enrichment_storage_account_name" {
+  description = "(optional) the azure storage account where enrichment data is stored"
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.enrichment_storage_account_name != "" && var.enrichment_storage_container_name == ""
+    error_message = "enrichment_storage_account_name and enrichment_storage_container_name must both be populated"
+  }
+}
+
+variable "enrichment_storage_container_name" {
+  description = "(optional) the container where enrichment data is stored"
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.enrichment_storage_container_name != "" && var.enrichment_storage_account_name == ""
+    error_message = "enrichment_storage_account_name and enrichment_storage_container_name must both be populated"
+  }
 }
 
 variable "tags" {
-  type    = object({})
-  default = {}
+  description = "Any tags that should be applied to resources deployed by the module"
+  type        = object({})
+  default     = {}
 }
\ No newline at end of file
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..1ff2328
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.97.1"
+    }
+    cloudinit = {
+      source  = "hashicorp/cloudinit"
+      version = ">=2.3.4"
+    }
+  }
+}